Displaying 20 results from an estimated 36 matches for "ssl_username_from_cert".
2007 Aug 30
1
Using NID_x500UniqueIdentifier as ssl_username_from_cert
...00UniqueIdentifier=user2
With the attached patch the user is taken from this
extension and e.g. with userdb=ldap you can use
the filter string
user_filter = (&(objectClass=posixAccount)(uid=%u))
A good solution to use both, the common name and the
UniqueIdentifier is to extend settings like
ssl_username_from_cert = no | yes | cn | uid
where "yes" is similar to "cn".
Regards,
Sandro Wefel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NID_x500UniqueIdentifier.diff
Type: text/x-patch
Size: 696 bytes
Desc: not available
URL: <http://dovecot.org/piper...
2010 Mar 14
1
bug or feature?
Dear List
If ssl_username_from_cert = yes
then setting of auth_username_chars is not respected. (It may be that
anything goes in that case)
Also how can I include space (0x20) in auth_username_chars if I don't
use ssl_username_from_cert = yes
Thanks
mr.wu
2010 Feb 28
0
client cert handling not working properly on centos 4.8
...I've successfully installed/configured dovecot 1.2.10 with "require
client cert" on centos 5.4 and ubuntu server 9.10
I also need to install on centos 4.8 and after following the exact
same procedure I can only get it working
if I commented out ssl_require_client_cert =yes and
ssl_username_from_cert = yes from the working config file.
This is even after compiling dovecot with openssl 0.9.8l on centos 4.8
If I copy the same "client_ca.crt" from centos 4.8 to centos 5.4 then
centos 5.4 has no problem in verifying client cert.
That file contains CRL as well as certificate which sign...
2005 Oct 20
2
1.0.alpha4 released
...- imap/pop3 proxy feature was broken
- fixed an assert-crash in ostream-file.c that was only in the
pre-release
And some more changes since alpha3 that I didn't mention before:
- zlib plugin updated in
http://dovecot.org/patches/1.0/zlib-plugin.tar.gz to be much faster than
before
- Added ssl_username_from_cert setting. Not actually tested yet, does
it work?
- epoll was broken with 64bit systems
- Added deny password databases.
- Dovecot can be run from inetd again
- Index breakage/crashfix related to adding new keywords
2007 Mar 08
5
1.0rc26: ssl_verify_client=yes ?
Q1)
I can't get ssl_verify_client_cert=yes working.
The ssl key and cert are signed using our CA.
Also the ssl_ca_file has a CRL appended (no revokes yet).
Expected behavior:
Stop the SSL (the client doesn't have a cert installed)
Current behavior:
Mail clients accept SSL and login succeeds.
(both Evolution and Thunderbird).
My bad? Please advise.
Q2)
The next step, if dovecot blocks
2012 Nov 08
3
Mails don't get deleted after POP3
...4567890.-_@
username_translation:
username_format:
master_user_separator:
anonymous_username: anonymous
krb5_keytab:
gssapi_hostname:
winbind_helper_path: /usr/bin/ntlm_auth
failure_delay: 2
verbose: no
debug: no
debug_passwords: no
ssl_require_client_cert: no
ssl_username_from_cert: no
use_winbind: no
count: 1
worker_max_count: 30
process_size: 256
passdb:
driver: pam
args:
deny: no
pass: no
master: no
userdb:
driver: passwd
args:
-----8<-----
Please let me know if you need more.
Thank you in advance!
Regards,
Rob
2007 Aug 24
1
Authentication using only TLS client certificates
Hi!
I'd like to configure dovecot to use only TLS client certificates for
authentication. After the user presented a client certificate and that
certificate was verified, no password-based authentication should be
necessary anymore.
Is this currently possible? Or would this require support for the SASL
EXTERNAL mechanism?
Regards,
Martin
2006 May 11
0
mandatory client certificates and crl check in ssl-proxy-openssl.c
...checks the client certificate against the crl for our root cert. (so
you can't use a revoked client cert.)
c) returns the CommonName from the client cert. in
ssl_proxy_get_peer_name (this way it's easier to use dovecot as
imap-proxy with a passwd-like userdb, ssl_require_client_cert and
ssl_username_from_cert, it "binds" the emailuser to the
clientcertificate, a clientcert. can access only the account from the
userdb)
in order to use it, the CAfile must be a file which contains the
CAcertificate (pem format) followed by the CRL (also in pem format).
(servercert and the clientcerts are sig...
2010 Feb 20
0
exporting client socket to postfix
Dear List,
I have a few questions regarding dovecot sasl authentication that are
somewhat related to each other.
I have a working dovecot config with
----------
ssl_verify_client_cert = yes
..
.
ssl_require_client_cert = yes
ssl_username_from_cert = yes
---------------
(With this set up I need not set a correct user name in my mail client
so long as
I have it correctly in cert.)
It turns out that I cannot export client socket to postfix to do smtp
authentication unless I comment out ssl_require_client_cert=yes
Does it mean that postfix is...
2008 May 07
1
[bug] bit of a clearer error message desired - Can't load CA file... : Success
...(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_uidl_format: %08Xu%08Xv
auth default:
mechanisms: plain login
verbose: yes
debug: yes
debug_passwords: yes
ssl_require_client_cert: yes
ssl_username_from_cert: yes
passdb:
driver: pam
args: session=yes mail
userdb:
driver: passwd
socket:
type: listen
client:
path: /var/spool/postfix/private/auth
mode: 432
user: postfix
group: postfix
--
Daniel Black
--
Proudly a Gentoo Linux User.
Gnu-PG/PGP signed a...
2008 Mar 01
2
Quota override problem
...socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
#
# If you want client certificates, use these lines
# ssl_require_client_cert = yes
# ssl_username_from_cert = yes
}
namespace private {
separator = .
prefix = INBOX.
inbox = yes
}
plugin {
#quota = maildir
# 10 MB + 1000 messages quota limit
quota = maildir:storage=265000:messages=50000:ignore=Trash
}
______________________
My dovecot-sql.conf is:
driver = mysql
connect = host=localhost dbna...
2007 Aug 10
3
Kmail client desconnection
...hroot:
username_chars:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
username_translation:
username_format:
master_user_separator:
anonymous_username: anonymous
krb5_keytab:
verbose: no
debug: no
debug_passwords: no
ssl_require_client_cert: no
ssl_username_from_cert: no
count: 1
worker_max_count: 30
process_size: 256
passdb:
driver: sql
args: /etc/dovecot_mysql.conf
deny: no
pass: no
master: no
userdb:
driver: sql
args: /etc/dovecot_mysql.conf
userdb:
driver: prefetch
args:
socket:
type: li...
2009 Aug 21
3
require SSL certs only for encrypted connections?
...le: /blah/server.crt
ssl_key_file: /blah/server.key
ssl_key_password:
ssl_parameters_regenerate: 168
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_cert_username_field: commonName
ssl_verify_client_cert: yes
disable_plaintext_auth: no
auth default:
mechanisms: plain login
ssl_require_client_cert: no
ssl_username_from_cert: no
I analyzed the connection on 993 with Wireshark and apparently all is
good: it's encrypted, I see the certificate exchanges taking place.
But I am worried about authenticating the connections from the iPhone
and I would like to configure "ssl_require_client_cert: yes" so that...
2008 Oct 06
3
Help - I keep getting LSUB permission denied
Hi,
I am using dovecot: 1.0.rc15
I was upgrading Debian and installed new versions of lots of things.
My mail came fine and I thought there was no problem until a user called
and said it was not working through webmail. I tried, it worked fine
and I realized the problem was with dovecot. I have created new users,
tried different UIDs. Removed any protections but when I telnet to the
2008 Aug 16
1
dovecot bug - kevent(EV_DELETE, 9)
...auth default {
mechanisms = plain login
passdb ldap {
args = /usr/local/etc/dovecot-ldap.conf
}
userdb ldap {
args = /usr/local/etc/dovecot-ldap.conf
}
user = nobody
count = 1
ssl_require_client_cert = no
ssl_username_from_cert = no
#Postfix Auth
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
Whole dovecot-ldap.conf:
hosts = 192.168.8....
2009 May 25
2
Secure Sockets Layer client certificate authentication
...le: /opt/libexec/dovecot/imap-login
login_user: guest
login_processes_count: 2
login_max_processes_count: 4
mbox_write_locks: fcntl
mail_process_size: 512
imap_client_workarounds: outlook-idle tb-negative-fetch
auth default:
user: admin
verbose: yes
debug: yes
ssl_require_client_cert: yes
ssl_username_from_cert: yes
passdb:
driver: passwd-file
args: /opt/etc/dovecot/h.org/passwd
userdb:
driver: passwd
This is a log of a login attempt:
dovecot: May 25 11:55:58 Info: auth(default): new auth connection: pid=22556
dovecot: May 25 11:56:08 Info: imap-login: Valid certificate:
/O=home.org/email...
2010 Feb 15
1
sieve addflag has stopped working
...RSTUVWXYZ01234567890.-_@
username_translation:
username_format:
master_user_separator:
anonymous_username: anonymous
krb5_keytab:
gssapi_hostname:
winbind_helper_path: /usr/bin/ntlm_auth
failure_delay: 2
verbose: no
debug: no
debug_passwords: no
ssl_require_client_cert: no
ssl_username_from_cert: no
use_winbind: no
count: 1
worker_max_count: 30
process_size: 256
passdb:
driver: pam
args:
deny: no
pass: no
master: no
userdb:
driver: passwd
args:
plugin:
sieve_extensions: +imapflags
sieve_dir: ~/.mail/sieve
2010 Nov 01
1
fts_solr on debian lenny dovecot 1.2.15
...JKLMNOPQRSTUVWXYZ01234567890.-_@
username_translation:
username_format:
master_user_separator:
anonymous_username: anonymous
krb5_keytab:
gssapi_hostname:
winbind_helper_path: /usr/bin/ntlm_auth
failure_delay: 2
verbose: no
debug: no
debug_passwords: no
ssl_require_client_cert: no
ssl_username_from_cert: no
use_winbind: no
count: 1
worker_max_count: 30
process_size: 256
passdb:
driver: sql
args: /etc/dovecot/dovecot-sql.conf
deny: no
pass: no
master: no
userdb:
driver: passwd
args:
userdb:
driver: prefetch
args:
userdb:
driver: sql
args: /etc/dovecot/dovecot-sql.conf
socket:...
2011 Jun 09
4
dovecot auth server problem PAM handshake imap-login
...username_chars:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
username_translation:
username_format:
master_user_separator:
anonymous_username: anonymous
krb5_keytab:
gssapi_hostname:
verbose: no
debug: yes
debug_passwords: no
ssl_require_client_cert: no
ssl_username_from_cert: no
count: 1
worker_max_count: 30
process_size: 256
passdb:
driver: pam
args: session=yes dovecot
deny: no
pass: no
master: no
userdb:
driver: passwd
args:
--------------------------
2006 Dec 29
3
Problems with dovecot-sieve on Debian Etch using dovecot LDA
...chroot:
username_chars:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
username_translation:
username_format: %n@%d
master_user_separator:
anonymous_username: anonymous
krb5_keytab:
verbose: yes
debug: yes
debug_passwords: yes
ssl_require_client_cert: no
ssl_username_from_cert: no
count: 1
worker_max_count: 30
process_size: 256
passdb:
driver: sql
args: /etc/dovecot/dovecot-sql.conf
deny: no
pass: no
master: no
userdb:
driver: sql
args: /etc/dovecot/dovecot-sql.conf
socket:
type: listen
client:
path: /var/spool/postfi...